Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/51798?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51798?format=api", "vulnerability_id": "VCID-9jzm-m7bx-akdg", "summary": "etcd vulnerable to TOCTOU of gateway endpoint authentication\n### Vulnerability type\nAuthentication\n\n### Workarounds\nRefer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. \n\n### Detail\nThe gateway only authenticates endpoints detected from DNS SRV records, and it only authenticates the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", "aliases": [ { "alias": "GHSA-h8g9-6gvh-5mrc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53848?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.3.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/53844?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.4.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10" } ], "affected_packages": [], "references": [ { "reference_url": "https://github.com/etcd-io/etcd", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd" }, { "reference_url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc" } ], "weaknesses": [ { "cwe_id": 367, "name": "Time-of-check Time-of-use (TOCTOU) Race Condition", "description": "The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state." } ], "exploits": [], "severity_range_score": "0.1 - 3", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jzm-m7bx-akdg" }